Phishing stories: Red Teaming across the globe from the safety of my desk

NCC Group was hired to conduct an international “Red Team” assessment on a global scale. 40 information security professionals spent four months (and lots of caffeine) targeting 13 client sites across Canada, North America, Ireland, the United Kingdom, Germany and Poland. The mission: Act as attackers with the objective of gaining access to the client’s network, then pivoting internally in order to compromise client domains, sensitive employee information and customer data.

We focused on three attack vectors: physical intrusion, attacks on internet-facing resources and targeted phishing. Though physical break-ins and external network attacks were extremely successful, we’re focusing this blog post on the third attack scenario: targeted spear phishing. We’ll explore how the attack was performed, why it was successful and what conclusions to draw for security-conscious enterprises.

Going phishing

The best way to start a phishing attack is the same as any other potential attack, through understanding and knowing your target. We began our due diligence with targeted intelligence gathering via publicly available information such as WHOIS data, client domains, exposed documents and the Holy Grail for Hackers: social media sites.

Determined attackers can discover a lot about their targets from social media presence, not just in the content that you post (though this can reveal actionable intelligence), but through the relationships you have and how you allow people access to that data. We leveraged the fact that people are generally permissive when accepting connection requests on social media sites by using fake accounts to connect with individuals who have connections to the targeted organisation. This is called Connection Harvesting.

We aimed a number of fake social media accounts at specific individuals who were not our direct targets, but did have lots of connections with employees in the target organisation and specifically employees with desirable job titles. As a result of connecting to those people (e.g. recruiters, miscellaneous ex or current employees), our list of targets expanded significantly. This led to more details about the organisation, such as the software and operating systems in use, along with names of IT staff that are likely to have higher privileges and access. The following diagram shows visualisation of this Connection Harvesting attack:

Targets acquired

From the fake social media accounts we created a list of targets and retrieved the email address format from WHOIS data and visuals of the company’s documents (e.g. firstname.lastname@domainname.tld). We then shifted from the Open Source Intelligence (OSINT) phase to building an active campaign against the client. Intelligence gathering helped ascertain there were no perimeter security products in place that would stop certain forms of attacks, such as macros inside XLS documents. On this occasion, we carried out this intelligence gathering through phone calls requesting information as part of an audit, but an attacker could have easily used a phishing email for the same result.

The first thing we needed was a domain, so we used NCC Group’s TypoFinder tool: ( After careful consideration, we selected a couple of domains, focusing mainly on the TLD. From the intel gathering phase, we discovered that someone in the finance department was well versed in Excel Macros, and as a result they were used as a guinea pig to test the payload.

Selection of the initial target is a critical decision; if our initial attack fails, the target organisation can be tipped off, and in turn implement increased security or employee training to harden against phishing attacks. After choosing the first potential victim, the email was sent from an external domain, under the guise of internal audit from IT support. The victim was informed that macros were required in order for the spreadsheet to function correctly. The following is an example of the type of document that was used, take note of the requirement to enable macros.

First wave

The phishing attack was a success! The target in the Finance department opened the attachment and following instructions in the phishing email and enabled Macros. In doing so granting us remote access to their machine and the target network. This access was used to gain as much information about the network as possible before more active attacks took place. We soon discovered that the targeted organisation allows users to be local administrators on their laptops; as a result we were able to steal the individual’s domain credentials using a PowerShell script called “Invoke-Mimikatz” (

Due to a lack of multi-factor authentication on the company’s deployment of Office365; we gained access not only to the client’s email, but also their SharePoint portal in the Cloud. This was a game changer. It allowed us to tailor the attack plan, as well as the method used for further phishing attacks based on the format, email addresses, automated emails and other information found in the employee inbox. The information revealed in the SharePoint portal also helped refine physical breaches later in the engagement, through details of physical offices, floor plans, the standard format for ID badges and the procedures for visiting physical locations.

Second w ave

The second wave of phishing emails were targeted against approximately ten individuals that were found to have permissions for wireless access based upon permission information discovered via AD group membership. These users were targeted to provide another route into the client’s network through their wireless networks, which are exposed at specific office locations.
We received seven remote shell connections back from the second wave of phishing, along with a couple of out-of-office replies. The second wave of attacks led to acquiring domain credentials and machine certificates which were handed over to the team doing the physical breach to provide them with wireless access to the client’s network.


Eventually, our campaign was detected – but this did not spell the end! One of the major issues of concern was that as part of the organisation’s incident response, users that had fallen victim to the phishing attacks were not informed to change their passwords. As a result, we still had access to the Office365 portal as those users. One of the compromised users turned out to be a technical project manager. Looking through their mailbox it was clear that asking for details about user’s machines and their IDs was a normal part of their role.

As a result, that person’s account was used to create an internally originated phishing campaign. The campaign phished various other users with the same tactic and rules in place to ensure the compromised user didn’t receive replies in relation to the phishing email.

As the testing window for the phishing drew to a close and access to various users and systems were gained, it was time to turn up the noise!

Published date:  25 April 2018

Written by:  Shaun Jones

comments powered by Disqus

Filter By Service

Filter By Date